Acrolinx enhancement

This commit is contained in:
Siddarth Mandalika 2022-04-14 17:17:40 +05:30
parent 553def6e7b
commit 4e0f1add65
5 changed files with 109 additions and 109 deletions

View File

@ -85,9 +85,9 @@ manager: dansimp
<!--Description-->
This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs).
If you enable this policy setting, the Kerberos client searches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain.
If you enable this policy setting, the Kerberos client searches the forests in this list, if it's unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain.
If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used.
If you disable or don't configure this policy setting, the Kerberos client doesn't search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name isn't found, NTLM authentication might be used.
<!--/Description-->
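Review bot: The comma before "if" in the second changed line ("searches the forests in this list, if it's unable to resolve a two-part SPN") splits a restrictive condition and should be dropped. The final sentence, which states that an unresolved SPN may fall back to NTLM, is the security-relevant part of this description and is correctly left with the same meaning.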
@ -129,11 +129,11 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy allows retrieving the cloud Kerberos ticket during the logon.
This policy allows retrieving the cloud Kerberos ticket during the sign in.
- If you disable (0) or do not configure this policy setting, the cloud Kerberos ticket is not retrieved during the logon.
- If you disable (0) or don't configure this policy setting, the cloud Kerberos ticket isn't retrieved during the sign in.
- If you enable (1) this policy, the cloud Kerberos ticket is retrieved during the logon.
- If you enable (1) this policy, the cloud Kerberos ticket is retrieved during the sign in.
<!--/Description-->
<!--SupportedValues-->
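Review bot: "during the sign in" uses the verb form where a noun is needed; the noun form is "sign-in" (a later hunk in this same commit already writes "sign-in session"). Suggest "during sign-in" in all three changed lines, e.g. `This policy allows retrieving the cloud Kerberos ticket during sign-in.`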
@ -182,9 +182,9 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features.
If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring.
If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains that support claims and compound authentication for Dynamic Access Control and Kerberos armoring.
If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition.
If you disable or don't configure this policy setting, the client devices won't request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device won't be able to retrieve claims for clients using Kerberos protocol transition.
<!--/Description-->
@ -229,14 +229,14 @@ ADMX Info:
This policy setting controls hash or checksum algorithms used by the Kerberos client when performing certificate authentication.
If you enable this policy, you will be able to configure one of four states for each algorithm:
If you enable this policy, you'll be able to configure one of four states for each algorithm:
* **Default**: This sets the algorithm to the recommended state.
* **Supported**: This enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
* **Audited**: This enables usage of the algorithm and reports an event (ID 205) every time it is used. This state is intended to verify that the algorithm is not being used and can be safely disabled.
* **Not Supported**: This disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure.
* **Default**: This state sets the algorithm to the recommended state.
* **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
* **Audited**: This state enables usage of the algorithm and reports an event (ID 205) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled.
* **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure.
If you disable or do not configure this policy, each algorithm will assume the **Default** state.
If you disable or don't configure this policy, each algorithm will assume the **Default** state.
More information about the hash and checksum algorithms supported by the Windows Kerberos client and their default states can be found https://go.microsoft.com/fwlink/?linkid=2169037.
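Review bot: Prefixing each bullet with "This state" produces doubled wording such as "This state sets the algorithm to the recommended state"; the bullets read better as plain definitions, e.g. `* **Default**: Sets the algorithm to the recommended state.` The unchanged last line is also missing a preposition: "can be found at https://go.microsoft.com/fwlink/?linkid=2169037." The caveat on **Supported** (enabling algorithms disabled by default may reduce security) is the important part of this list and should stay as written.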
@ -282,14 +282,14 @@ ADMX Info:
<!--Description-->
This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller.
Warning: When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled.
Warning: When a domain doesn't support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled.
If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers.
> [!NOTE]
> The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring.
If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain.
If you disable or don't configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain.
<!--/Description-->
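Review bot: The "Warning:" line is plain text, while this commit's other files use the `> [!WARNING]` alert block (see the hunk for "Accounts: Limit local account use of blank passwords"); convert it for consistency. The sentence is also hard to parse: it means the domain has not enabled "Support Dynamic Access Control and Kerberos armoring", so suggest "If a domain doesn't support Kerberos armoring (that is, "Support Dynamic Access Control and Kerberos armoring" isn't enabled for it), all authentication for all its users will fail from computers with this policy setting enabled." On the unchanged context line, "in only authentication service (AS)" should read "only in authentication service (AS)".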
@ -333,9 +333,9 @@ ADMX Info:
<!--Description-->
This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon.
If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate.
If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer isn't joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate.
If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server.
If you disable or don't configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions that can be issued to any server.
<!--/Description-->
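Review bot: Changing "which can be issued to any server" to "that can be issued to any server" turns a non-restrictive remark into a restrictive clause, so the sentence now reads as though only some Server Authentication identifiers are meant; the point of the sentence is that the Server Authentication EKU can be issued to any server, which is why the disabled state is the weaker check. Keep "which" and add the comma: `...in the EKU extensions, which can be issued to any server.` Separately, "requires that the KDC's X.509 certificate must be signed" doubles the modal; "requires that ... be signed" is enough.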
@ -377,16 +377,16 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size.
This policy setting allows you to set the value returned to applications that request the maximum size of the SSPI context token buffer size.
The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token.
If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whichever is smaller.
If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value.
If you disable or don't configure this policy setting, the Kerberos client or server uses the locally configured value or the default value.
> [!NOTE]
> This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes.
> This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it's not advised to set this value more than 48,000 bytes.
<!--/Description-->
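Review bot: "the maximum size of the SSPI context token buffer size" repeats "size" in both the old and new first line; suggest "the value returned to applications that request the maximum SSPI context token buffer size." In the NOTE, "set this value more than 48,000 bytes" should be "set this value to more than 48,000 bytes".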
@ -428,9 +428,9 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Adds a list of domains that an Azure Active Directory joined device can attempt to contact when it cannot resolve a UPN to a principal.
Adds a list of domains that an Azure Active Directory joined device can attempt to contact when it can't resolve a UPN to a principal.
Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an Azure Active Directory UPN into an Active Directory Principal. You can use this policy to avoid those failures.
Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This limitation can cause failures when such a device needs to resolve an Azure Active Directory UPN into an Active Directory Principal. You can use this policy to avoid those failures.
<!--/Description-->
<!--SupportedValues-->

View File

@ -77,7 +77,7 @@ These policies currently only apply to Kiosk Browser app. Kiosk Browser is a Mic
<!--/Scope-->
<!--Description-->
List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs.
List of exceptions to the blocked website URLs (with wildcard support). This policy is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs.
> [!NOTE]
> This policy only applies to the Kiosk Browser app in Microsoft Store.
@ -113,7 +113,7 @@ List of exceptions to the blocked website URLs (with wildcard support). This is
<!--/Scope-->
<!--Description-->
List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to.
List of blocked website URLs (with wildcard support). This policy is used to configure blocked URLs kiosk browsers can't navigate to.
> [!NOTE]
> This policy only applies to the Kiosk Browser app in Microsoft Store.
@ -185,7 +185,7 @@ Configures the default URL kiosk browsers to navigate on launch and restart.
<!--/Scope-->
<!--Description-->
Shows the Kiosk Browser's end session button. When the policy is enabled, the Kiosk Browser app shows a button to reset the browser. When the user clicks on the button, the app will prompt the user for confirmation to end the session. When the user confirms, the Kiosk browser will clear all browsing data (cache, cookies, etc.) and navigate back to the default URL.
Shows the Kiosk Browser's end session button. When the policy is enabled, the Kiosk Browser app shows a button to reset the browser. When the user selects the button, the app will prompt the user for confirmation to end the session. When the user confirms, the Kiosk browser will clear all browsing data (cache, cookies, etc.) and navigate back to the default URL.
<!--/Description-->
<!--/Policy-->
@ -292,7 +292,7 @@ Enable/disable kiosk browser's navigation buttons (forward/back).
<!--Description-->
Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state.
The value is an int 1-1440 that specifies the amount of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty which means there is no idle timeout within the kiosk browser.
The value is an int 1-1440 that specifies the number of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty, which means there's no idle timeout within the kiosk browser.
> [!NOTE]
> This policy only applies to the Kiosk Browser app in Microsoft Store.

View File

@ -1,6 +1,6 @@
---
title: Policy CSP - LanmanWorkstation
description: Use the Policy CSP - LanmanWorkstation setting to determine if the SMB client will allow insecure guest logons to an SMB server.
description: Use the Policy CSP - LanmanWorkstation setting to determine if the SMB client will allow insecure guest sign ins to an SMB server.
ms.author: dansimp
ms.topic: article
ms.prod: w10
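Review bot: In the description, "insecure guest sign ins" replaces a protocol term with a user-action phrase: an insecure guest logon is something the SMB server grants (the body text of this file says file servers use them to allow unauthenticated access), not something a user does. Either keep "insecure guest logons" in the description or at least use the noun form "guest sign-ins".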
@ -56,13 +56,13 @@ manager: dansimp
<!--/Scope-->
<!--Description-->
This policy setting determines if the SMB client will allow insecure guest logons to an SMB server.
This policy setting determines if the SMB client will allow insecure guest sign ins to an SMB server.
If you enable this policy setting or if you do not configure this policy setting, the SMB client will allow insecure guest logons.
If you enable this policy setting or if you don't configure this policy setting, the SMB client will allow insecure guest sign ins.
If you disable this policy setting, the SMB client will reject insecure guest logons.
If you disable this policy setting, the SMB client will reject insecure guest sign ins.
Insecure guest logons are used by file servers to allow unauthenticated access to shared folders. While uncommon in an enterprise environment, insecure guest logons are frequently used by consumer Network Attached Storage (NAS) appliances acting as file servers. Windows file servers require authentication and do not use insecure guest logons by default. Since insecure guest logons are unauthenticated, important security features such as SMB Signing and SMB Encryption are disabled. As a result, clients that allow insecure guest logons are vulnerable to a variety of man-in-the-middle attacks that can result in data loss, data corruption, and exposure to malware. Additionally, any data written to a file server using an insecure guest logon is potentially accessible to anyone on the network. Microsoft recommends disabling insecure guest logons and configuring file servers to require authenticated access.
Insecure guest sign ins are used by file servers to allow unauthenticated access to shared folders. While uncommon in an enterprise environment, insecure guest sign ins are frequently used by consumer Network Attached Storage (NAS) appliances acting as file servers. Windows file servers require authentication and don't use insecure guest sign ins by default. Since insecure guest sign ins are unauthenticated, important security features such as SMB Signing and SMB Encryption are disabled. As a result, clients that allow insecure guest sign ins are vulnerable to various man-in-the-middle attacks that can result in data loss, data corruption, and exposure to malware. Additionally, any data written to a file server using an insecure guest sign in is potentially accessible to anyone on the network. Microsoft recommends disabling insecure guest sign ins and configuring file servers to require authenticated access.
<!--/Description-->
<!--ADMXMapped-->
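Review bot: Same term issue as the front matter: "insecure guest sign ins" is used as a noun throughout this hunk ("using an insecure guest sign in is potentially accessible"), and the noun form needs the hyphen ("sign-in", "sign-ins"). The security rationale in the last paragraph (signing and encryption disabled, exposure to man-in-the-middle attacks, recommendation to disable) is unchanged in substance, which is correct.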

View File

@ -201,11 +201,11 @@ manager: dansimp
<!--Description-->
This policy setting prevents users from adding new Microsoft accounts on this computer.
If you select the "Users cannot add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise.
If you select the "Users cannot add Microsoft accounts" option, users won't be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This option is the preferred option if you need to limit the use of Microsoft accounts in your enterprise.
If you select the "Users cannot add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system.
If you select the "Users cannot add or log on with Microsoft accounts" option, existing Microsoft account users won't be able to sign in to Windows. Selecting this option might make it impossible for an existing administrator on this computer to sign in and manage the system.
If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows.
If you disable or don't configure this policy (recommended), users will be able to use Microsoft accounts with Windows.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
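Review bot: "This option is the preferred option" repeats the noun; the original "This is the preferred option" or "This option is preferred" reads better. The quoted option labels "Users cannot add Microsoft accounts" and "Users cannot add or log on with Microsoft accounts" are UI strings and are rightly left unchanged; they should stay verbatim in any follow-up style pass.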
@ -220,7 +220,7 @@ GP Info:
The following list shows the supported values:
- 0 - disabled (users will be able to use Microsoft accounts with Windows).
- 1 - enabled (users cannot add Microsoft accounts).
- 1 - enabled (users can't add Microsoft accounts).
<!--/SupportedValues-->
<!--/Policy-->
@ -350,16 +350,16 @@ The following list shows the supported values:
<!--Description-->
Accounts: Limit local account use of blank passwords to console logon only
This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard.
This security setting determines whether local accounts that aren't password protected can be used to sign in from locations other than the physical computer console. If enabled, local accounts that aren't password protected will only be able to sign in at the computer's keyboard.
Default: Enabled.
> [!WARNING]
> Computers that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can log on by using a user account that does not have a password. This is especially important for portable computers.
If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services.
> Computers that aren't in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can sign in by using a user account that doesn't have a password. This is especially important for portable computers.
If you apply this security policy to the Everyone group, no one will be able to sign in through Remote Desktop Services.
This setting does not affect logons that use domain accounts.
It is possible for applications that use remote interactive logons to bypass this setting.
This setting doesn't affect sign ins that use domain accounts.
It's possible for applications that use remote interactive sign ins to bypass this setting.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
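Review bot: "sign ins that use domain accounts" and "remote interactive sign ins" are nouns and should be "sign-ins". Also, the sentence "If you apply this security policy to the Everyone group..." sits between the two `>` lines of the `> [!WARNING]` block without a `>` prefix; if it belongs to the warning it needs the prefix, otherwise the warning's second `>` line should be moved up so the block is contiguous.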
@ -372,8 +372,8 @@ GP Info:
<!--/RegistryMapped-->
<!--SupportedValues-->
Valid values:
- 0 - disabled - local accounts that are not password protected can be used to log on from locations other than the physical computer console
- 1 - enabled - local accounts that are not password protected will only be able to log on at the computer's keyboard
- 0 - disabled - local accounts that aren't password protected can be used to sign in from locations other than the physical computer console
- 1 - enabled - local accounts that aren't password protected will only be able to sign in at the computer's keyboard
<!--/SupportedValues-->
<!--/Policy-->
@ -496,9 +496,9 @@ GP Info:
<!--/Scope-->
<!--Description-->
Devices: Allow undock without having to log on.
Devices: Allow undock without having to sign in.
This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon is not required and an external hardware eject button can be used to undock the computer. If disabled, a user must log on and have the Remove computer from docking station privilege to undock the computer.
This security setting determines whether a portable computer can be undocked without having to sign in. If this policy is enabled, sign in isn't required and an external hardware eject button can be used to undock the computer. If disabled, a user must sign in and have the Remove computer from docking station privilege to undock the computer.
Default: Enabled.
> [!CAUTION]
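Review bot: "sign in isn't required" uses the verb form as a noun; "signing in isn't required" keeps the sense. The first changed line ("Devices: Allow undock without having to log on.") appears to be the policy's display name as shown in the security policy editor; if so, it should stay verbatim so admins can match the heading to the setting, with "sign in" used only in the explanatory text.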
@ -548,7 +548,7 @@ This security setting determines who is allowed to format and eject removable NT
- Administrators
- Administrators and Interactive Users
Default: This policy is not defined and only Administrators have this ability.
Default: This policy isn't defined, and only Administrators have this ability.
<!--/Description-->
<!--RegistryMapped-->
@ -595,7 +595,7 @@ Default on servers: Enabled.
Default on workstations: Disabled
>[!NOTE]
>This setting does not affect the ability to add a local printer. This setting does not affect Administrators.
>This setting doesn't affect the ability to add a local printer. This setting doesn't affect Administrators.
<!--/Description-->
<!--RegistryMapped-->
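Review bot: `>[!NOTE]` on the unchanged context line lacks the space after `>` that the other alert blocks in this commit use (`> [!NOTE]`); worth fixing while the block is being edited.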
@ -640,7 +640,7 @@ This security setting determines whether a CD-ROM is accessible to both local an
If this policy is enabled, it allows only the interactively logged-on user to access removable CD-ROM media. If this policy is enabled and no one is logged on interactively, the CD-ROM can be accessed over the network.
Default: This policy is not defined and CD-ROM access is not restricted to the locally logged-on user.
Default: This policy isn't defined and CD-ROM access isn't restricted to the locally logged-on user.
<!--/Description-->
<!--RegistryMapped-->
@ -695,7 +695,7 @@ GP Info:
Valid values:
- 1 - User display name, domain and user names
- 2 - User display name only
- 3 - Do not display user information
- 3 - Don't display user information
<!--/SupportedValues-->
<!--/Policy-->
@ -731,7 +731,7 @@ Valid values:
Interactive logon: Don't display last signed-in
This security setting determines whether the Windows sign-in screen will show the username of the last person who signed in on this PC.
If this policy is enabled, the username will not be shown.
If this policy is enabled, the username won't be shown.
If this policy is disabled, the username will be shown.
@ -749,7 +749,7 @@ GP Info:
<!--SupportedValues-->
Valid values:
- 0 - disabled (username will be shown)
- 1 - enabled (username will not be shown)
- 1 - enabled (username won't be shown)
<!--/SupportedValues-->
<!--/Policy-->
@ -786,7 +786,7 @@ Interactive logon: Don't display username at sign-in
This security setting determines whether the username of the person signing in to this PC appears at Windows sign-in, after credentials are entered, and before the PC desktop is shown.
If this policy is enabled, the username will not be shown.
If this policy is enabled, the username won't be shown.
If this policy is disabled, the username will be shown.
@ -804,7 +804,7 @@ GP Info:
<!--SupportedValues-->
Valid values:
- 0 - disabled (username will be shown)
- 1 - enabled (username will not be shown)
- 1 - enabled (username won't be shown)
<!--/SupportedValues-->
<!--/Policy-->
@ -837,11 +837,11 @@ Valid values:
<!--/Scope-->
<!--Description-->
Interactive logon: Do not require CTRL+ALT+DEL
Interactive logon: Don't require CTRL+ALT+DEL
This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on.
This security setting determines whether pressing CTRL+ALT+DEL is required before a user can sign in.
If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords.
If this policy is enabled on a computer, a user isn't required to press CTRL+ALT+DEL to sign in. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users sign in ensures that users are communicating through a trusted path when entering their passwords.
If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows.
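Review bot: The last line of this hunk still says "before logging on to Windows" while the lines just above now say "sign in"; the context line should be updated in the same pass, e.g. "before signing in to Windows". The heading "Interactive logon: Don't require CTRL+ALT+DEL" keeps the "Interactive logon:" prefix but rewrites the remainder; if this is the policy's display name, keep it verbatim.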
@ -860,7 +860,7 @@ GP Info:
<!--SupportedValues-->
Valid values:
- 0 - disabled
- 1 - enabled (a user is not required to press CTRL+ALT+DEL to log on)
- 1 - enabled (a user isn't required to press CTRL+ALT+DEL to sign in)
<!--/SupportedValues-->
<!--/Policy-->
@ -895,7 +895,7 @@ Valid values:
<!--Description-->
Interactive logon: Machine inactivity limit.
Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session.
Windows notices inactivity of a sign-in session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session.
Default: not enforced.
@ -909,7 +909,7 @@ GP Info:
<!--/RegistryMapped-->
<!--SupportedValues-->
Valid values: From 0 to 599940, where the value is the amount of inactivity time (in seconds) after which the session will be locked. If it is set to zero (0), the setting is disabled.
Valid values: From 0 to 599940, where the value is the amount of inactivity time (in seconds) after which the session will be locked. If it's set to zero (0), the setting is disabled.
<!--/SupportedValues-->
<!--/Policy-->
@ -942,9 +942,9 @@ Valid values: From 0 to 599940, where the value is the amount of inactivity time
<!--/Scope-->
<!--Description-->
Interactive logon: Message text for users attempting to log on
Interactive logon: Message text for users attempting to sign in
This security setting specifies a text message that is displayed to users when they log on.
This security setting specifies a text message that is displayed to users when they sign in.
This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited.
@ -989,9 +989,9 @@ GP Info:
<!--/Scope-->
<!--Description-->
Interactive logon: Message title for users attempting to log on
Interactive logon: Message title for users attempting to sign in
This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting to log on.
This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting to sign in.
Default: No message.
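Review bot: The second changed line refers to another policy by name ("Interactive logon: Message text for users attempting to log on", the heading of the preceding hunk), and the rewrite changes that name to "...attempting to sign in"; cross-references to policy names should be verbatim, so either keep "log on" here or quote the name exactly as the policy editor shows it. Keeping the "Interactive logon:" prefix while changing the rest makes the mismatch visible.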
@ -1047,14 +1047,14 @@ The options are:
If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session.
If you click Force Logoff in the Properties dialog box for this policy, the user is automatically logged off when the smart card is removed.
If you click Force Logoff in the Properties dialog box for this policy, the user is automatically signed off when the smart card is removed.
If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation.
If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging off the user. This policy allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to sign in again. If the session is local, this policy functions identically to Lock Workstation.
> [!NOTE]
> Remote Desktop Services was called Terminal Services in previous versions of Windows Server.
Default: This policy is not defined, which means that the system treats it as No action.
Default: This policy isn't defined, which means that the system treats it as No action.
On Windows Vista and above: For this setting to work, the Smart Card Removal Policy service must be started.
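Review bot: "the user is automatically signed off" is not the standard counterpart to "sign in"; it should be "signed out". The same hunk leaves "without logging off the user" unchanged on the next changed line, so the two sentences now use different terms for the same action; pick one ("signed out" / "signing out the user") for both.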
@ -1098,7 +1098,7 @@ Microsoft network client: Digitally sign communications (always)
This security setting determines whether packet signing is required by the SMB client component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted.
If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server.
If this setting is enabled, the Microsoft network client won't communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server.
Default: Disabled.
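Review bot: Contraction-only change, fine as written. While the paragraph is being touched, the unchanged closing sentence "If this policy is disabled, SMB packet signing is negotiated between the client and server" overstates what happens: with "(always)" disabled the client still only negotiates signing when the companion "Microsoft network client: Digitally sign communications (if server agrees)" setting is enabled, which is how the server-side note later in this file describes the equivalent pair. Suggest "If this policy is disabled, SMB packet signing is negotiated only if the '(if server agrees)' setting is enabled."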
@ -1208,7 +1208,7 @@ GP Info:
<!--Description-->
Microsoft network client: Send unencrypted password to connect to third-party SMB servers
If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication.
If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that don't support password encryption during authentication.
Sending unencrypted passwords is a security risk.
@ -1263,7 +1263,7 @@ Administrators can use this policy to control when a computer suspends an inacti
For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days; in effect, this value disables the policy.
Default:This policy is not defined, which means that the system treats it as 15 minutes for servers and undefined for workstations.
Default: This policy isn't defined, which means that the system treats it as 15 minutes for servers and undefined for workstations.
<!--/Description-->
<!--RegistryMapped-->
@ -1317,7 +1317,7 @@ This security setting determines whether packet signing is required by the SMB s
The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted.
If this setting is enabled, the Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server.
If this setting is enabled, the Microsoft network server won't communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server.
Default: Disabled for member servers. Enabled for domain controllers.
@ -1328,7 +1328,7 @@ Default: Disabled for member servers. Enabled for domain controllers.
> - Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
> - Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
>
> Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers.
> Similarly, if client-side SMB signing is required, that client won't be able to establish a session with servers that don't have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers.
> If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled.
> SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing).
@ -1427,16 +1427,16 @@ GP Info:
<!--/Scope-->
<!--Description-->
Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Don't allow anonymous enumeration of SAM accounts
This security setting determines what additional permissions will be granted for anonymous connections to the computer.
This security setting determines what other permissions will be granted for anonymous connections to the computer.
Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust.
Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This feature is convenient, for example, when an administrator wants to grant access to users in a trusted domain that doesn't maintain a reciprocal trust.
This security option allows additional restrictions to be placed on anonymous connections as follows:
This security option allows more restrictions to be placed on anonymous connections as follows:
Enabled: Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources.
Disabled: No additional restrictions. Rely on default permissions.
Enabled: Don't allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources.
Disabled: No extra restrictions. Rely on default permissions.
Default on workstations: Enabled.
Default on server: Enabled.
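Review bot: One word, "additional", has been replaced three different ways in this hunk ("what other permissions will be granted", "allows more restrictions", "No extra restrictions"), and the first of them changes the meaning: the setting adds restrictions on top of the default anonymous permissions, it does not pick among "other" permissions. Use a single replacement, for example "what extra permissions will be granted", "allows extra restrictions to be placed", "No extra restrictions", or keep "additional", which Acrolinx flags as a preference, not an error.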
@ -1481,11 +1481,11 @@ GP Info:
<!--/Scope-->
<!--Description-->
Network access: Do not allow anonymous enumeration of SAM accounts and shares
Network access: Don't allow anonymous enumeration of SAM accounts and shares
This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed.
Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. If you do not want to allow anonymous enumeration of SAM accounts and shares, then enable this policy.
Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This feature is convenient, for example, when an administrator wants to grant access to users in a trusted domain that doesn't maintain a reciprocal trust. If you don't want to allow anonymous enumeration of SAM accounts and shares, then enable this policy.
Default: Disabled.
@ -1667,7 +1667,7 @@ Valid values:
<!--Description-->
Network security: Allow PKU2U authentication requests to this computer to use online identities.
This policy will be turned off by default on domain joined machines. This would prevent online identities from authenticating to the domain joined machine.
This policy will be turned off by default on domain joined machines. This disablement would prevent online identities from authenticating to the domain joined machine.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
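Review bot: "This disablement would prevent online identities from authenticating" is an awkward nominalization introduced to avoid the dangling "This". Since the previous sentence already says the policy is off by default, write "When it's off, online identities can't authenticate to the domain-joined machine." Also hyphenate "domain-joined" in both sentences; it's a compound modifier.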
@ -1715,9 +1715,9 @@ Valid values:
<!--/Scope-->
<!--Description-->
Network security: Do not store LAN Manager hash value on next password change
Network security: Don't store LAN Manager hash value on next password change
This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked.
This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database, the passwords can be compromised if the security database is attacked.
Default on Windows Vista and above: Enabled
@ -1825,8 +1825,8 @@ Network security: Minimum session security for NTLM SSP based (including secure
This security setting allows a client device to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:
- Require NTLMv2 session security: The connection will fail if message integrity is not negotiated.
- Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated.
- Require NTLMv2 session security: The connection will fail if message integrity isn't negotiated.
- Require 128-bit encryption: The connection will fail if strong encryption (128-bit) isn't negotiated.
Default:
@ -1875,8 +1875,8 @@ Network security: Minimum session security for NTLM SSP based (including secure
This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:
Require NTLMv2 session security: The connection will fail if message integrity is not negotiated.
Require 128-bit encryption. The connection will fail if strong encryption (128-bit) is not negotiated.
Require NTLMv2 session security: The connection will fail if message integrity isn't negotiated.
Require 128-bit encryption. The connection will fail if strong encryption (128-bit) isn't negotiated.
Default:
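Review bot: The two option lines here are inconsistent with the client-side copy of this text earlier in the file, which renders them as a "- " list with a colon after each option name; in this hunk they are bare paragraphs and the second uses a period ("Require 128-bit encryption. The connection will fail..."). Since both lines are being edited anyway, make them "- Require NTLMv2 session security: The connection will fail if message integrity isn't negotiated." and "- Require 128-bit encryption: The connection will fail if strong encryption (128-bit) isn't negotiated."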
@ -1927,7 +1927,7 @@ This policy setting allows you to create an exception list of remote servers to
If you configure this policy setting, you can define a list of remote servers to which clients are allowed to use NTLM authentication.
If you do not configure this policy setting, no exceptions will be applied.
If you don't configure this policy setting, no exceptions will be applied.
The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the application, listed one per line. To ensure exceptions the name used by all applications needs to be in the list, and to ensure an exception is accurate, the server name should be listed in both naming formats. A single asterisk (*) can be used anywhere in the string as a wildcard character.
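Review bot: The unchanged trailing context line is missing a comma after its introductory phrase: "To ensure exceptions the name used by all applications needs to be in the list" should read "To ensure exceptions, the name used by all applications needs to be in the list". It's adjacent to the line just touched, so fold it into this pass rather than leaving it for another.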
@ -1981,7 +1981,7 @@ Network security: Restrict NTLM: Audit Incoming NTLM Traffic
This policy setting allows you to audit incoming NTLM traffic.
If you select "Disable", or do not configure this policy setting, the server will not log events for incoming NTLM traffic.
If you select "Disable", or don't configure this policy setting, the server won't log events for incoming NTLM traffic.
If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option.
@ -2042,9 +2042,9 @@ Network security: Restrict NTLM: Incoming NTLM traffic
This policy setting allows you to deny or allow incoming NTLM traffic.
If you select "Allow all" or do not configure this policy setting, the server will allow all NTLM authentication requests.
If you select "Allow all" or don't configure this policy setting, the server will allow all NTLM authentication requests.
If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain logon and display an NTLM blocked error, but allow local account logon.
If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain sign in and display an NTLM blocked error, but allow local account sign in.
If you select "Deny all accounts," the server will deny NTLM authentication requests from incoming traffic and display an NTLM blocked error.
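Review bot: "domain logon" and "local account logon" are nouns naming the kind of authentication request being denied or allowed, so "deny NTLM authentication requests for domain sign in ... but allow local account sign in" reads as a verb phrase where a noun is needed. Either keep "domain logon" / "local account logon" or, if the style change is wanted, use the noun spelling "domain sign-in" / "local account sign-in"; the open form "sign in" is for the action ("sign in to Windows").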
@ -2103,11 +2103,11 @@ Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server.
If you select "Allow all" or do not configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication.
If you select "Allow all" or don't configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication.
If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This allows you to identify those servers receiving NTLM authentication requests from the client computer.
If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This logging allows you to identify those servers receiving NTLM authentication requests from the client computer.
If you select "Deny all," the client computer cannot authenticate identities to a remote server by using NTLM authentication. You can use the "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication.
If you select "Deny all," the client computer can't authenticate identities to a remote server by using NTLM authentication. You can use the "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication.
This policy is supported on at least Windows 7 or Windows Server 2008 R2.
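Review bot: "This logging allows you to identify" is a good fix for the dangling "This". The first sentence of the hunk still stumbles on the doubled "this": "from this Windows 7 or this Windows Server 2008 R2 computer". Because the last line already states "supported on at least Windows 7 or Windows Server 2008 R2", the opening can simply say "deny or audit outgoing NTLM traffic from this computer to any Windows remote server".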
@ -2160,13 +2160,13 @@ GP Info:
<!--/Scope-->
<!--Description-->
Shutdown: Allow system to be shut down without having to log on
Shutdown: Allow system to be shut down without having to sign in
This security setting determines whether a computer can be shut down without having to log on to Windows.
This security setting determines whether a computer can be shut down without having to sign in to Windows.
When this policy is enabled, the Shut Down command is available on the Windows logon screen.
When this policy is disabled, the option to shut down the computer does not appear on the Windows logon screen. In this case, users must be able to log on to the computer successfully and have the Shut down the system user right before they can perform a system shutdown.
When this policy is disabled, the option to shut down the computer doesn't appear on the Windows logon screen. In this case, users must be able to sign in to the computer successfully and have the Shut down the system user right before they can perform a system shutdown.
Default on workstations: Enabled.
Default on servers: Disabled.
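Review bot: The heading "Shutdown: Allow system to be shut down without having to log on" is the policy's display name in the security policy editor; restyling it to "without having to sign in" means a reader can no longer match this page to the setting on the machine. Keep the name verbatim and apply the wording change only to the description. The description is also now internally mixed: "users must be able to sign in to the computer successfully" sits in the same paragraph as "doesn't appear on the Windows logon screen", and the unchanged line above still says "available on the Windows logon screen".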
@ -2183,7 +2183,7 @@ GP Info:
<!--SupportedValues-->
Valid values:
- 0 - disabled
- 1 - enabled (allow system to be shut down without having to log on)
- 1 - enabled (allow system to be shut down without having to sign in)
<!--/SupportedValues-->
<!--/Policy-->
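Review bot: Same issue as the heading for this policy: the parenthetical "(allow system to be shut down without having to sign in)" quotes the setting's own name, so it should stay in the setting's wording ("without having to log on") rather than being restyled; otherwise the valid-values list no longer matches the policy it describes.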
@ -2220,7 +2220,7 @@ Shutdown: Clear virtual memory pagefile
This security setting determines whether the virtual memory pagefile is cleared when the system is shut down.
Virtual memory support uses a system pagefile to swap pages of memory to disk when they are not used. On a running system, this pagefile is opened exclusively by the operating system, and it is well protected. However, systems that are configured to allow booting to other operating systems might have to make sure that the system pagefile is wiped clean when this system shuts down. This ensures that sensitive information from process memory that might go into the pagefile is not available to an unauthorized user who manages to directly access the pagefile.
Virtual memory support uses a system pagefile to swap pages of memory to disk when they aren't used. On a running system, this pagefile is opened exclusively by the operating system, and it's well protected. However, systems that are configured to allow booting to other operating systems might have to ensure that the system pagefile is wiped clean when this system shuts down. This cleaning ensures that sensitive information from process memory that might go into the pagefile isn't available to an unauthorized user who manages to directly access the pagefile.
When this policy is enabled, it causes the system pagefile to be cleared upon clean shutdown. If you enable this security option, the hibernation file (hiberfil.sys) is also zeroed out when hibernation is disabled.
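Review bot: "This cleaning ensures that sensitive information ..." is an awkward back-reference chosen only to avoid a bare "This"; name the subject instead: "Clearing the pagefile at shutdown ensures that sensitive information from process memory that might go into the pagefile isn't available to an unauthorized user ...". The "make sure" to "ensure" swap in the previous sentence adds nothing and can be reverted.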
@ -2267,7 +2267,7 @@ User Account Control: Allow UIAccess applications to prompt for elevation withou
This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.
Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop.
Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you don't disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop.
Disabled: (Default)
@ -2437,7 +2437,7 @@ The options are:
Enabled: (Default) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
Disabled: Application installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary.
Disabled: Application installation packages aren't detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary.
<!--/Description-->
<!--RegistryMapped-->
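Review bot: Both the old and the new wording say "Application installation packages aren't detected and prompted for elevation", which reads as if the packages are the thing being prompted. Since the line is being touched, fix the subject: "Application installation packages aren't detected, and the user isn't prompted for elevation."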
@ -2481,8 +2481,8 @@ User Account Control: Only elevate executable files that are signed and validate
This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers.
The options are:
- 0 - Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run.
- 1 - Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run.
- 0 - Disabled: (Default) Doesn't enforce PKI certification path validation before a given executable file is permitted to run.
- 1 - Enabled: Enforces the PKI certification path validation for a given executable file before it's permitted to run.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
@ -2525,7 +2525,7 @@ GP Info:
<!--Description-->
User Account Control: Only elevate UIAccess applications that are installed in secure locations
This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following:
This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following locations:
- .\Program Files\, including subfolders
- .\Windows\system32\
@ -2535,7 +2535,7 @@ This policy setting controls whether applications that request to run with a Use
> Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting.
The options are:
- 0 - Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system.
- 0 - Disabled: An application runs with UIAccess integrity even if it doesn't reside in a secure location in the file system.
- 1 - Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.

View File

@ -70,7 +70,7 @@ ADMX Info:
<!--SupportedValues-->
The following list shows the supported values:
- 0 - message sync is not allowed and cannot be changed by the user.
- 0 - message sync isn't allowed and can't be changed by the user.
- 1 - message sync is allowed. The user can change this setting.
<!--/SupportedValues-->